In April 2016, 11.5 million sensitive documents were leaked in what became known as the Panama Papers scandal. These documents exposed an alarming array of sensitive data, revealing a number of controversial and confidential pieces of information.
The 2017 Mobile Leak Report, while not as far-reaching in scope, explores a similar theme. Researchers at Wandera uncovered more than 200 well-known apps and mobile websites that were exposing sensitive consumer and enterprise information during 2016.
Where were the leaks coming from?
Categorizing the 200+ sites and apps by type reveals that more leaks were present in certain segments than others.
More than 59% of all the leaks identified were from just three categories: news & sports, business & industry and shopping. A further 28% were from another four: travel, entertainment, lifestyle and technology.
Leaks that might surprise you
Although the total volume of leaks spotted in the social media, finance and productivity categories is lower than elsewhere, CIOs would probably be surprised that there were any at all.
Productivity tools are critical to the mobility programs of most enterprises, and without platforms like Microsoft’s Office or Evernote, there might be far less need for smartphone-enabled workforces in the first place. Around 3% of the identified data leaks were in this category: troubling news for security-conscious mobility leaders.
Not safe for work, and not safe anyway
The majority of the 200+ data leaks included in this report stem from categories that most CISOs would consider to be safe from threat. But there are also other more obvious candidates for data leaks.
Gambling, scam, adult and ad networks are by far the biggest risks for businesses. While most Wandera customers opt to filter content from these ‘not safe for work’ categories, not all organizations have these kinds of systems in place.
Pornography and other adult content categories are notorious for lax handling of PII. In fact, 40 out of the top 50 adult sites were exposed at the time of research.
The personal data of more than 800,000 users of the adult site Brazzers was exposed in September 2016, followed by a successful attack on 400 million accounts on the AdultFriendFinder network in November. A year previously, the controversial extra-marital dating app Ashley Madison was hacked, revealing the PII of every single user in its database.
Understanding the potential impact of a PII leak
The data being leaked, while not always powerful on its own, can often amount to the keys to the kingdom. For example, a ‘man-in-the-middle’ attack involves a malicious actor inserting themselves between the device and the web server it’s trying to communicate with in order to access unencrypted data. It can happen when a device is connected to an open Wi-Fi network, like those you’ll find at a cafe, hotel or airport.
When a leaking site or app is being used on such a connection, the unencrypted information can be harvested by the malicious actor. Depending on what is being leaked, it could involve credit card theft, identity theft, or even the reuse of login credentials to access a corporate network.
With this in mind, any employee with remote network access via their mobile could be considered a prized target for an attacker looking to access sensitive corporate data.
The “Panama Papers” of mobile leaks
The 2017 Mobile Leak Report found more than 200 mobile websites and apps leaking personally identifiable information across a range of categories – including those that are essential for work. Read the report to see which types of apps present the highest risk to your sensitive corporate data.